# Kubernetes {% hint style="info" %} For an overview of the available Kubernetes features and supported platforms, please see our [Kubernetes guide](/admin/resources/clusters.md). {% endhint %} ## Overview This guide describes how to manage access to a Kubernetes cluster via the StrongDM Admin UI. This process involves creating and configuring a new cluster in the Admin UI and checking the connection to your Kubernetes API server. {% hint style="info" %} If you would like to learn more about how to enable automatic resource discovery within your Kubernetes cluster, or use privilege levels to allow users to request various levels of access to the Kubernetes cluster, please read the [Kubernetes Discovery and Privilege Levels](/admin/resources/clusters/kubernetes-management.md) section to learn more about those features prior to following this configuration guide. {% endhint %} ## Prerequisites Ensure that the Kubernetes API server that you are adding to StrongDM is accessible from your StrongDM gateways or relays. See our guide on [nodes](/admin/networking/gateways-and-relays.md) for more information. {% hint style="info" %} Your gateways or relays must be able to connect to the entry you choose for the hostname. To verify the connection, use the command prompt from the gateway or relay server and type `nc -z port`. If your server can connect to this hostname, you can proceed. {% endhint %} {% hint style="info" %} If you are using kubectl 1.30 or higher, it will default to using websockets, which the StrongDM client did not support prior to version 45.35.0. This can be remedied by taking one of the following actions: * Update your client to version 45.35.0 or greater. * Set the environment variable `KUBECTL_REMOTE_COMMAND_WEBSOCKETS=false` to restore the previous behavior in your kubectl. {% endhint %} ## Resource Configuration in StrongDM This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add the resource to StrongDM, use the following steps. 1. Log in to the Admin UI and go to **Infrastructure > Clusters**. 2. Click the **Add Resource** button. 3. Select **Kubernetes** as the **Resource Type** and set other [resource properties](#resource-properties) to configure how the StrongDM relay connects. 4. Click **Create** to save the resource. The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the **pencil** icon to the right of the server to reopen the **Connection Details** screen. Then click **Diagnostics** to determine where the connection is failing. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation. 1. In your terminal or Command Prompt, log in to StrongDM: ```sh sdm login ``` 2. Run `sdm admin clusters add kubernetes --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them. ```sh NAME: sdm admin clusters add k8s - create Kubernetes cluster USAGE: sdm admin clusters add k8s [command options] OPTIONS: --allow-resource-role-bypass (For legacy orgs) allows users to fallback to the existing authentication mode (Leased Credential or Identity Set) when a resource role is not provided. --bind-interface value IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default") --certificate-authority value (secret) --client-certificate value (secret) --client-key value (secret) --discovery-enabled Enable discovery for the cluster. --discovery-username value The user to impersonate in the cluster when running discovery. Required if the cluster is configured for identity aliases. (conditional) --egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...' --healthcheck-namespace default This path will be used to check the health of your connection. Defaults to default. --hostname value (required) --identity-alias-healthcheck-username value (conditional) --identity-set-id value --identity-set-name value set the identity set by name --port value (required) (default: 443) --port-override value Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1) --proxy-cluster-id value proxy cluster id --secret-store-id value secret store id --subdomain value, --bind-subdomain value DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.."). Only applicable to HTTP-based resources or resources using virtual networking mode. --tags value tags e.g. 'key=value,...' --template, -t display a JSON template --timeout value set time limit for command ``` 3. Then run `sdm admin clusters add kubernetes ` and set all required properties with their values. For example: ```sh sdm admin clusters add k8s "k8s-cluster-prod" --hostname "k8s-prod01.acme.internal" --port 443 --certificate-authority "/etc/strongdm/certs/k8s-ca.crt" --client-certificate "/etc/strongdm/certs/k8s-client.crt" --client-key "/etc/strongdm/certs/k8s-client.key" --identity-set-name "K8s Cluster Admins" --identity-alias-healthcheck-username "svc_k8s_health" --discovery-enabled --discovery-username "sdm-discovery" --healthcheck-namespace "default" --bind-interface "default" --port-override -1 --egress-filter 'field:name tag:env=prod tag:region=us-west' --proxy-cluster-id "plc_0123456789abcdef" --secret-store-id "ss_abcdef0123456789" --subdomain "k8s-prod01" --tags "env=prod,platform=kubernetes,auth=cert,team=devops" --timeout 30 ``` 4. Check that the resource has been added. The output of the following command should show the resource's name: ```sh sdm admin clusters list ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ```hcl # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from the Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create Kubernetes cluster resource "sdm_resource" "k8s_cluster_prod" { k8s { # Required name = "k8s-cluster-prod" # hostname = "k8s-prod01.acme.internal" # --hostname port = 443 # --port (default 443) # TLS / client auth (recommended: use secret store) certificate_authority = file("/etc/strongdm/certs/k8s-ca.crt") # --certificate-authority client_certificate = file("/etc/strongdm/certs/k8s-client.crt") # --client-certificate client_key = file("/etc/strongdm/certs/k8s-client.key") # --client-key # Identity & discovery identity_set_name = "K8s Cluster Admins" # --identity-set-name identity_alias_healthcheck_username = "svc_k8s_health" # --identity-alias-healthcheck-username (conditional) discovery_enabled = true # --discovery-enabled discovery_username = "sdm-discovery" # --discovery-username healthcheck_namespace = "default" # --healthcheck-namespace # Common networking options bind_interface = "default" # --bind-interface ("default" | "loopback" | "vnm") port_override = -1 # --port-override (-1 = auto-allocate) egress_filter = "field:name tag:env=prod tag:region=us-west" # --egress-filter subdomain = "k8s-prod01" # --subdomain / --bind-subdomain (for VN access) # Optional integrations proxy_cluster_id = "plc_0123456789abcdef" # --proxy-cluster-id secret_store_id = "ss_abcdef0123456789" # --secret-store-id (recommended for keys/certs) # (Legacy orgs) allow fallback auth when no resource role is provided allow_resource_role_bypass = false # --allow-resource-role-bypass # Tags tags = { # --tags env = "prod" platform = "kubernetes" auth = "mtls" team = "devops" } } } ``` {% endtab %} {% tab title="SDKs" %} **Set up and Manage With SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Go | ​[pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v17)​ | ​[strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go)​ | ​[Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples)​ | | ------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | | Java | ​[javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/)​ | ​[strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java)​ | ​[Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples)​ | | Python | ​[pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/)​ | ​[strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python)​ | ​[Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples)​ | | Ruby | ​[RubyDoc](https://www.rubydoc.info/gems/strongdm)​ | ​[strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby)​ | ​[Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples)​ | | {% endtab %} | | | | | {% endtabs %} | | | | ## Resource properties The **Kubernetes** cluster type has the following properties. | Property | Requirement | Description | | ----------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Display Name** | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) | | **Resource Type** | Required | **Kubernetes** | | **Proxy Cluster** | Required | Defaults to "None (use gateways)"; if using [proxy clusters](/admin/networking/proxy-clusters.md), select the appropriate cluster to proxy traffic to this resource | | **Hostname** | Required | Hostname or IP address of the Kubernetes API server, such as `api.kubernetes.example.com`; relay server should be able to [connect to your Kubernetes API server](#prerequisites) | | **Port** | Required | Port to connect to the API server; default port value **443** | | **Connectivity Mode** | Required | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if [Virtual Networking Mode](/admin/clients/client-networking/virtual-networking-mode.md) enabled for your organization | | **IP Address** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if **Loopback Mode** is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, `127.0.0.1`); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if [Virtual Networking Mode](/admin/clients/client-networking/virtual-networking-mode.md) and/or [multi-loopback mode](/admin/clients/client-networking/loopback-ip-ranges.md) is enabled for your organization | | **Port Override** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the [Port Overrides settings](/admin/resources/port-overrides.md) | | **DNS** | Optional | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`) | | **Secret Store** | Optional | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration); to learn more, see [Secret Store options](#secret-store-options) | | **Server CA** | Optional | Pasted server certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the server certificate on the API server or get it in Base64 format from your existing [Kubernetes configuration (kubeconfig) file](#server-ca) | | **Client Certificate** | Optional | Pasted client certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the client certificate on the API server or get it in Base64 format from your existing [Kubernetes configuration (kubeconfig) file](#client-certificate) | | **Client Key** | Optional | Pasted client key (plaintext or Base64-encoded) or imported PEM file; you can either generate the client key on the API server or get it in Base64 format from your existing [Kubernetes configuration (kubeconfig) file](#client-key) | | **Healthcheck Namespace** | Optional | If enabled for your organization, the namespace used for the resource healthcheck; defaults to `default` if empty; supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: `get pods`, `get deployments`, or `describe namespace` | | **Enable Resource Discovery** | Optional | Enables [automatic discovery](#resource-discovery) within this cluster | | **Authentication** | Required | Authentication method to access the cluster; select either **Leased Credential** (default) or **Identity Aliases** (to use the Identity Aliases of StrongDM users to access the cluster) | | **Identity Set** | Required | Displays if **Authentication** is set to **Identity Aliases**; select an Identity Set name from the list | | **Healthcheck Username** | Required | If **Authentication** is set to **Identity Aliases**, the username that should be used to verify StrongDM's connection to it; username must already exist on the target cluster | | **Resource Tags** | Optional | Resource [Tags](/references/cli/tags.md) consisting of key-value pairs `=` (for example, `env=dev`) | ### **Display name** Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a **Display Name** without spaces. ### **Client credentials** When your users connect to this cluster via StrongDM, they have exactly the same rights as the user associated with these keys. Make sure to consider this prior to setup. ### **Server CA** How to get the **Server CA** from your kubeconfig file: 1. Open the CLI and type `cat ~/.kube/config` to view the contents of the file. 2. In the file, under `- cluster`, copy the `certificate-authority-data` value. That is the server certificate in Base64 encoding. ```yaml - cluster: certificate-authority-data: ... SERVER CERT BASE64 ... ``` **Client certificate** How to get the **Client Certificate** from your kubeconfig file: 1. From the CLI, type `cat ~/.kube/config` to view the contents of the file. 2. In the file, under `- name`, copy the `client-certificate-data` value. That is the client certificate in Base64 encoding. ```yaml - name: clusterUser_StrongDM_example user: client-certificate-data: ... CLIENT CERT BASE64... ``` ### **Client key** How to get the **Client Key** from your kubeconfig file: 1. Open the CLI and type `cat ~/.kube/config` to view the file. 2. In the file, under `- name`, copy the `client-key-data` value. That is the client private key in Base64 encoding. ```yaml - name: clusterUser_StrongDM_example user: client-key-data: ... CLIENT PRIVATE KEY BASE64... ``` ### **Secret Store** By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool. Non-StrongDM options appear in the **Secret Store** dropdown if they are created under **Settings** > **Secrets Management**. When you select another Secret Store type, its unique properties display. For more details, see [Configure Secret Store Integrations](/admin/access/secret-stores.md). ## Test the Connection 1. After creating the Kubernetes cluster resource in the Admin UI, navigate to **Infrastructure > Clusters** and locate your newly added cluster. The health indicator should turn green once connectivity and credentials are validated. 2. On a test client using the StrongDM desktop app or CLI, connect to the cluster and run a basic command such as `kubectl get nodes`. Confirm the output returns your nodes and the connection is routed via StrongDM. 3. If discovery is enabled, in the Admin UI verify that namespaces, roles, and service accounts appear under the cluster’s **Discovery** tab. This indicates StrongDM successfully queried the Kubernetes API. 4. If the health status remains red or yellow: * Verify the cluster’s hostname, port, and base credentials (CA, client certificate/key) are correct and reachable from your relay or gateway. * Check the certificate-authority and client credentials if using mTLS. * Confirm the `healthcheck_namespace` exists and the identity alias or health-check user (if specified) has the permissions to `get pods`, `get deployments`, or `describe namespace`. * Review the **Diagnostics** tab for authentication or network errors. Once connectivity is verified and you can perform Kubernetes operations successfully, the cluster resource is ready. You can assign roles, apply policies, and monitor access through StrongDM. ## Help If you encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health: * Resource name or ID * CLI error output or logs * Node name and region * Timestamps of failed attempts --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/clusters/kubernetes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.